Impact
A missing permission check in Android's MmsSmsProvider.java allows applications to read sensitive MMS and SMS data without having the proper authorization. The flaw enables local disclosure of private information, as no additional privileges or user interaction are required. It is identified as CWE‑862, an authorization failure that directly leaks confidential data.
Affected Systems
All Android devices that include the MmsSmsProvider component are potentially affected, as outlined in the Android 17 security bulletin referenced by Google. Devices running builds of Android that have not received the latest security update may expose users to this vulnerability.
Risk and Exploitability
The CVSS score of 10 reflects the maximum severity for a local privilege issue that causes data exposure. The EPSS score of less than 1% indicates a very low probability of active exploitation at the present time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that an application runs on the device; the missing permission check can be triggered by any app, making the risk appear local but broad across installations.
OpenCVE Enrichment